The default ntp.conf in Ubuntu contains noquery, so monlist is disabled by default. Sites that need monlist should restrict it from known trusted IPs. Upstream has now removed monlist in ntp in favour of mrulist.
Since the default configuration isn't vulnerable, there is a recommended way to configure it for sites that require it, and the changes would be too intrusive to backport, we have no plans to fix this in our stable releases. When upstream releases 4.2.8, it will likely make it's way to Ubuntu from Debian. ** Bug watch added: Debian Bug tracker #733940 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=733940 ** Also affects: ntp (Debian) via http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=733940 Importance: Unknown Status: Unknown ** Changed in: ntp (Ubuntu) Status: Confirmed => Won't Fix -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to ntp in Ubuntu. https://bugs.launchpad.net/bugs/1268543 Title: CVE-2013-5211 ntp DDos To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1268543/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
